Manuals and HowTo's : Secure your Apache Web Server with a Certificate

You can find a really good manual from Van on this matter; here I give only a short summary of the essential steps.



Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server, you need a private key and a certificate for the server. In this HowTo the certificate is issued by a CA we run ourselves, so every client has to import the CA certificate (my-ca.crt) before it will trust the server without a warning.

Create the key

[root]# openssl genrsa -aes256 -out my-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...................................................+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Create the certificate

[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:VanEmery.Com CA
Email Address []:hostmaster@vanemery.com

Review the certificate

[root]# openssl x509 -in my-ca.crt -text -noout

Make a key and a certificate for the web server

Now we have to make an X.509 certificate and the corresponding private key for the web server. Rather than creating a self-signed certificate directly, we create a key and a certificate signing request (CSR), then sign the CSR with the CA key we made previously. The server key should be at least 2048 bits as well: 1024-bit RSA is no longer considered safe.

[root]# openssl genrsa -aes256 -out mars-server.key 2048
Generating RSA private key, 2048 bit long modulus....++++++
[root]# openssl req -new -key mars-server.key -out mars-server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
-----
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, your name or your server's hostname) []:mars.vanemery.com <=== This must be the real FQDN of your server!!!
Email Address []:hostmaster@vanemery.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root]# openssl x509 -req -in mars-server.csr -out mars-server.crt -sha256 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
Signature ok...
[root]# openssl x509 -in mars-server.crt -text -noout

Make sure that the Common Name is exactly the FQDN your clients will use when connecting to your site; if the name in the certificate and the name in the URL differ, every client will show a certificate warning.
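The whole procedure above (CA key and certificate, server key, CSR, CA signature, and a check), as an added example that is not part of the original page or of Van's manual, scripted for POSIX sh so it runs non-interactively with -subj instead of the prompts. It assumes the page's placeholder names (my-ca, mars.vanemery.com), an openssl binary of 1.0.2 or later for -verify_hostname, and departs from the interactive walk-through in a few places a practitioner would want today: 2048-bit keys and SHA-256 signatures, the CA key encrypted with AES-256 using a passphrase taken from the environment, the server key left unencrypted so httpd can start unattended, and a subjectAltName extension on the server certificate, since current browsers match the hostname against the SAN and ignore the Common Name.

```shell
#!/bin/sh
# Added example, not from the original page: the CA and server-certificate
# steps of the HowTo, scripted. Assumptions (not on the page): 2048-bit keys,
# SHA-256 signatures, AES-256 on the CA key with the passphrase in $CA_PASS
# (the env: form keeps it out of "ps" output), an unencrypted server key,
# and a subjectAltName on the server certificate.
set -e

# make_ca DIR CN : CA key + self-signed CA certificate valid 10 years, as on the page.
make_ca() {
  dir=$1; cn=$2
  openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/my-ca.key" 2048 2>/dev/null
  chmod 0400 "$dir/my-ca.key"
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/my-ca.key" -passin env:CA_PASS \
    -subj "/C=US/ST=Kentucky/O=VanEmery.Com/OU=Certificate Authority/CN=$cn" \
    -out "$dir/my-ca.crt"
}

# make_server_cert DIR FQDN : unencrypted server key, CSR, then a CA-signed
# certificate carrying the v3 extensions a TLS server certificate needs.
# The 825-day lifetime is an arbitrary choice, shorter than the page's 3650.
make_server_cert() {
  dir=$1; fqdn=$2
  openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
  chmod 0400 "$dir/$fqdn.key"
  openssl req -new -sha256 -key "$dir/$fqdn.key" \
    -subj "/C=US/ST=Kentucky/O=VanEmery.Com/OU=Web Services/CN=$fqdn" \
    -out "$dir/$fqdn.csr"
  # Extension file for "openssl x509 -req". The CN still equals the FQDN as the
  # page requires, but subjectAltName is what a modern client actually matches.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$fqdn" > "$dir/$fqdn.ext"
  openssl x509 -req -sha256 -days 825 -in "$dir/$fqdn.csr" \
    -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -passin env:CA_PASS -CAcreateserial \
    -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null
}

# verify_server_cert DIR FQDN HOST : the check a client performs, chain to our
# CA plus hostname match against HOST. Prints "ok" or "fail".
verify_server_cert() {
  if openssl verify -CAfile "$1/my-ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_san DIR FQDN : print the SAN entry of the server certificate for review.
cert_san() {
  openssl x509 -in "$1/$2.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone run against the page's placeholder host in a scratch directory.
demo() {
  work=$(mktemp -d)
  CA_PASS=${CA_PASS:-demo-only-passphrase}; export CA_PASS
  make_ca "$work" "VanEmery.Com CA"
  make_server_cert "$work" mars.vanemery.com
  echo "SAN:                $(cert_san "$work" mars.vanemery.com)"
  echo "mars.vanemery.com:  $(verify_server_cert "$work" mars.vanemery.com mars.vanemery.com)"
  echo "other.vanemery.com: $(verify_server_cert "$work" mars.vanemery.com other.vanemery.com)"
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh make-certs.sh demo` (file name assumed) to produce the files in a scratch directory and print the checks; the negative check against other.vanemery.com shows what a client sees when the name in the certificate does not match the name it connected to. In real use, export a strong CA_PASS first, keep my-ca.key off the web server, and copy mars.vanemery.com.crt and mars.vanemery.com.key into the ssl.crt and ssl.key directories described below.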

Move generated keys into Apache folders

Now, we need to move the new keys and certs into the proper directories in the /etc/httpd hierarchy (assuming you have two folders named ssl.crt and ssl.key in /etc/httpd/conf):

[root]# cp mars-server.crt /etc/httpd/conf/ssl.crt
[root]# cp mars-server.key /etc/httpd/conf/ssl.key
[root]# cp my-ca.crt /etc/httpd/conf/ssl.crt

Configure the Apache web server

All of our changes will be made in the /etc/httpd/conf.d/ssl.conf file.

# Note that the FQDN and server hostname must go here - clients will not be able to connect, otherwise!
ServerName mars.vanemery.com:443
ServerAdmin webmaster@vanemery.com

# Allow only HIGH-strength cipher suites. Adding MEDIUM would admit legacy 128-bit
# ciphers such as RC4; !aNULL drops anonymous (unauthenticated) Diffie-Hellman suites.
SSLCipherSuite HIGH:!aNULL:!MD5

# TLS only: SSLv2 and SSLv3 are both broken and must stay disabled.
SSLProtocol all -SSLv2 -SSLv3

#   Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/mars-server.crt

#   Server Private Key (readable by root only):
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mars-server.key

#   Server Certificate Chain: the intermediate certificates sent to the client.
#   With a one-level private CA there are none; sending my-ca.crt here is harmless
#   but not required, because clients must already trust it for the connection to succeed.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/my-ca.crt

#   Certificate Authority (CA): only consulted when client certificates are verified
#   (SSLVerifyClient); it does not affect how browsers validate the server certificate.
SSLCACertificateFile /etc/httpd/conf/ssl.crt/my-ca.crt

# This is needed so that you can use auto-indexing for some directories in the
# /var/www/SSL directory branch, which is handy if you want to offer a list of
# files for people to download. Note that TLS only protects the transport: anyone
# who can reach this virtual host sees the listing, so genuinely sensitive files
# still need access control (authentication or SSLVerifyClient) on top of encryption.
<Directory "/var/www/SSL">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

Restart the web server

[root]# /etc/init.d/httpd restart

Note that you will have to enter the password for your server key in order to start the server. You will also have to do this during boot if you have httpd configured to start automatically (see below if you don't want this).

Web Server Key Password

If you would like Apache to start automatically at boot time without prompting, you can strip the passphrase from the server key. The key is then protected only by file permissions, so it must be readable by root alone, and the passphrase-protected copy should be kept with the same permissions (or moved off the server) rather than left world-readable.

[root]# cd /etc/httpd/conf/ssl.key
[root]# cp mars-server.key mars-server.key.org
[root]# openssl rsa -in mars-server.key.org -out mars-server.key
[root]# chmod 0400 mars-server.key mars-server.key.org



Document generated by Atlassian Confluence, last changed on May 03, 2007 by Sven Rieke